21 Nov Multimedia overwriter with Spy features Dmitry Bestuzhev
11 Sep Kimsuky APT: Operation’s possible North Korean links uncovered Dmitry Tarakanov
11 Feb The ‘Chupa Cabra’ malware: attacks on payment devices Fabio Assolini
20 Oct The Mystery of Duqu: Part One Aleks
19 Oct Duqu FAQ Ryan Naraine
18 Oct Federal Trojan's got a "Big Brother" Tillmann Werner
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers.
However, there were a few things that attracted our attention:
The complete path found in the malware presents some of the Korean strings:
The “rsh” word, by all appearances, means a shortening of “Remote Shell” and the Korean words can be translated in English as “attack” and “completion”, i.e.:
We managed to identify several targets. Here are some of the organizations that the attackers were interested in targeting:
|The Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.|
You’ve probably already heard about the 'Chupa Cabra', literally a "goat sucker". It’s a mythical beast rumored to inhabit parts of the Americas. In recent times it has been allegedly spotted in Puerto Rico (where it was first reported), Mexico and the United States, especially in the latter’s Latin American communities. The name Chupa Cabra has also been adopted by Brazilian carders to name skimmer devices, installed on ATMs. They use this name because the Chupa Cabra will “suck” the information from the victim’s credit card.
The Brazilian media regularly shows videos of bad guys installing their Chupa Cabra onto an ATM. Some of them are unlucky, or incompetent, and get picked up on security cameras and caught by the cops.
That’s what makes installing an ATM skimmer a risky business – and that’s why Brazilian carders have joined forces with local coders to develop an easier, more secure way to steal and clone credit card information. From this unholy alliance, the ‘Chupa Cabra’ malware was born.
First of all, we feel it necessary to clarify some of the confusion surrounding the files and their names related to this incident. To get a full understanding of the situation you only need to know that we’re talking about just two malicious programs here (at a minimum) - the main module and a keylogger. All that has been mentioned in last 24 hours about connections between Duqu and Stuxnet is related mostly to the first one - the main module.
The main module consists of three components:
The module is very similar to Stuxnet - both in structure and in behavior. However, the name Duqu has almost no connection with it. This name is based on the names of the files that are related to a completely different malicious spy-program!
This second malicious program, which is basically a keylogger (but is also able to collect other types of information) was discovered on the system of one of the victims together with the main module described above. Because of this fact, plus the main module’s ability to download other components, it was assumed that the main module and the keylogger were somehow related to each other. While working in a system, the keylogger stores collected data in files with names like ~DQx.tmp. So the name of the main module – Duqu – was given based on these files.
But actually, the code of the Trojan-Spy in part proves the connection between it and the main module, and it was probably downloaded by the main module sometime earlier. But as per its functionality, it is an independent malicious application able to work without the main module. At the same time, the main module is able to work without the Trojan-Spy. However, the connection between the keylogger and Stuxnet is not so obvious, and that’s why it’s possible – at a stretch – to perhaps call it a grandchild of Stuxnet, but certainly not its child :)
This is an active investigation by Kaspersky Lab's Global Research & Analysis Team. We will be updating this FAQ document as necessary.
Duqu is a sophisticated Trojan which seems to have been written by the same people who created the infamous Stuxnet worm. Its main purpose is to act as a backdoor into the system and facilitate the theft of private information. This is the main difference when compared to Stuxnet, which was created to conduct industrial sabotage. It's also important to point out that while Stuxnet is able to replicate from one computer to another using various mechanisms, Duqu is a Trojan that doesn't seem to replicate on its own.
Unlike Stuxnet, Duqu doesn't target PLC/SCADA equipment directly, although some of its subroutines could be used to steal information related to industrial installations. It appears that Duqu was created in order to collect intelligence about its targets, which can include pretty much anything that is available in digital format on the victim’s PC.
In the cases we have analysed, Duqu infects a computer through a targeted attack involving a Word document which exploits the CVE-2011-3402 vulnerability. This is a 0-day vulnerability in the Windows kernel component Win32k.sys which allows the attackers to run code with the highest privilege level, bypassing pretty much most of the protection mechanisms from Windows or security software. According to our knowledge, Duqu is the only malware using this vulnerability to infect computers. All Kaspersky Lab security solutions detect this vulnerability under the name Exploit.Win32.CVE-2011-3402.a as of November 6, 2011.
There is indeed a 0-day vulnerability being used to infect computers in the initial phase. Microsoft released an advisory (2639658) with basic information and mitigation steps.
Duqu was brought to the attention of the security community by the Hungarian Research Lab CrySyS. They were the first to point out the resemblance to Stuxnet and perform what remains the most thorough analysis of the malware yet.
The first Duqu attacks were spotted as early as mid-April 2011. The attacks continued in the following months, until October 18, when news about Duqu was made public.
It appears that there are at least seven variants of the Duqu drivers, together with a few other components. These are all detected with different names by various anti-virus companies, creating the impression that there are multiple different variants. At the time of writing, we are aware of two Infostealer components and seven different drivers. Additionally, we suspect the existence of at least another Infostealer component which had the capability to directly search and steal documents from the victim's machine.
While there are indeed reports indicating that the main goal of Duqu is to steal information from CAs, there is no clear evidence at this time to support this claim. On the contrary, we believe the main purpose of Duqu was different and CAs were just collateral victims.
One suspicion is that Duqu was used to steal certificates from CAs that can be used to sign malicious code in order to make it harder to catch. The functionality of the backdoor in Duqu is actually rather complex and it can be used for a lot more. Basically, it can steal everything, however, it looks like attackers were particularly interested in collecting passwords, making desktop screenshots (to spy on the user) and stealing various kinds of documents.
The initial Duqu C&C server, which was hosted in India is no longer active. Just like in the case of Stuxnet, it was pulled offline pretty quickly once the news broke. In addition to this, we are aware of another C&C server in Belgium, which was also quickly taken offline. Actually, it appears that every single Duqu targeted attack used a separate C&C server.
Maybe the author was a fan of round numbers, such as 6x6? :) Actually, the time for which Duqu is running in the system is defined by the configuration file and varies between the attacks. We have also seen instances where the duration was set to 30 days.
The same gang who was behind Stuxnet. Curiously, they seem to have picked up an interest in astronomy; the infostealer executable has a portion of a JPEG file picked up by the Hubble telescope (“Interacting Galaxy System NGC 6745”):
The picture portrays the aftermath of direct collision of two galaxies(!), several million of years ago. You can read the story here.
UPDATE (November 15, 2011):
When activated, the main Duqu program body connects to its C&C server and downloads updates and supplemental modules. One such module is the Duqu "infostealer," for which two versions are known and others are believed to have existed at various points in the time.
The "infostealer" module is downloaded in memory and executed through the process injection technique used by Stuxnet and Duqu to avoid temporary files. This is done in order to make sure that the "infostealer" component (and other Duqu updates) will not be intercepted or left behind on an infected machine. It also means that they have a limited lifetime, basically until the next system reboot.
The most powerful version of the "infostealer" has the ability to intercept keystrokes, it makes screenshots of the whole screen (first time) and of the active window, collects the IE browsing history and various data related to the system network configuration. There is also code which can do browsing of network shares. All this information is nicely packaged into a file that is written into the %TEMP% folder by default. It is a compressed BZIP2 format with modified headers. Thanks to the BZIP2 compression, the files are smaller than you'd think.
The "infostealer" components we have seen create files with the name "~DQx.tmp". In addition to this, we are aware of other files with the name "~DFxxxxx.tmp" and "~DOxxxxx.tmp". The "DF" and "DO" have a similar format and appear to have been generated by an earlier version of the "infostealer". They also contain more information, including various files the victim PC such as Word or Excel documents. The "~DF" files are generally much bigger, due to their additional file content.
In all cases, they are easy to recognize by the header "ABh91AY&SY". If you find such files in your PC then most likely you've been a victim of Duqu. If you'd like to scan your system for such files, the nice people at CrySyS have a set of tools that can help.
Duqu and Stuxnet have a lot of things in common. Usage of various encryption keys, including ones that haven't been made public prior to Duqu, injection techniques, the usage of zero-day exploits, usage of stolen certificates to sign the drivers, all of these make us believe both have been written by the same team.
So, what does that mean exactly? Simply put, different people might have worked on Duqu and Stuxnet, but most likely they worked for the same "publishing house." If you want an analogy, Duqu and Stuxnet are like Windows and Office. Both are from Microsoft, although different people might have worked on them.
In the incidents we have analyzed, Duqu arrives in the system in the form of a Microsoft Word Document. The document contains an exploit for the vulnerability known as CVE-2011-3402. This is a buffer overflow in a function of Win32k.sys which deals with True Type fonts. To exploit this specific vulnerability, an attacker needs to craft a special True Type Font and embed it into a document, for instance, a Word Document.
Now, for the connection part - in the incident we've analyzed (and this is also true for the other known incident), the attackers used a font presumably called "Dexter Regular", by "Showtime Inc.," (c) 2003. This is another prank pulled by the Duqu authors, since Showtime Inc. is the cable broadcasting company behind the TV series Dexter, about a CSI doctor who also happens to be a serial killer who avenges criminals in some post-modern perversion of Charles Bronson's character in Death Wish.
We hope they are just fans of Dexter.
Interestingly, the same constant can be found in Duqu as well. The Hungarian CrySyS lab was the first to point out the usage of 0xAE790509 in Duqu. In the case of Stuxnet, the integer 0x19790509 is used as an infection check; in the case of Duqu, the constant is 0xAE790509.
What is less known is that 0xAE790509 was also used in Stuxnet, however, prior to Duqu this was not included in any of the public analyses we are familiar with.
There are also many other places where the constant 0xAE is used, both in Duqu and Stuxnet.
Finally, the constant 0xAE240682 is used by Duqu as part of the decryption routine for one of the known PNF files. In case you are wondering, 24 June 1982 is indeed an interesting date - check out the case of BA flight 9.
* Research by Kaspersky Lab Global Research & Analysis Team.
Costin Raiu of Kaspersky Lab's Global Research and Analysis Team talks about the investigation into Duqu, the likelihood that it was written by the same team as Stuxnet, whether a government is behind its development and what mistakes the authors made.
Download the podcast from the Threatpost site.
About two weeks ago, the German Chaos Computer Club (CCC) has published an analysis report of a backdoor trojan that they claim had been used by German police during investigations in order to capture VoIP and IM communication on a suspect's PC. Our friends over at F-Secure published a blog post last week where they wrote about another file that, according to them, seemed to be the dropper component of the trojan. They were kind enough to share the MD5 hash of the file, so we could pull it from our collection. Stefan and I took a closer look.
The dropper carries five other binaries in its resource table, so there are six components in total – each with a different purpose – all of which have been analyzed by us. Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows. Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.